The Social App (apps.nextcloud.com/apps/social) does not validate the server TLS certificate for connections to other ActivityPub servers.
Thursday, 19 November 2020, 12:53 GMT
These connections are used to retrieve the public key of a user or to post a message to another ActivityPub server.
The public key for a user is used to validate the ActivityPub user.
The vulnerable code is:
The initRequest method disables verification of the peer's certificate by setting CURLOPT_SSL_VERIFYPEER to FALSE.
This code is called from CurlService.php.
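As an added illustration (not the Social app's own CurlService.php), the cURL setup described above is shown beside a hardened form that verifies the chain and host name; the function names and the actor-document lookup are assumptions made for the example.

```php
<?php
// Added example, not code from the Nextcloud Social app.
// Insecure variant: mirrors the defect described in the advisory. Any
// certificate, including a self-signed one presented by a man-in-the-middle,
// is accepted without error.
function initRequestInsecure(string $url)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // the vulnerable setting
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);     // host name check off as well
    return $curl;
}

// Hardened variant: verify the chain against the system CA bundle (or a
// bundle passed in), require the certificate to match the requested host,
// and refuse to downgrade to plain HTTP on redirects.
function initRequestVerified(string $url, ?string $caBundle = null)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
    if ($caBundle !== null) {
        curl_setopt($curl, CURLOPT_CAINFO, $caBundle);
    }
    return $curl;
}

// Fetch an ActivityPub actor document (hypothetical helper) and return its
// publicKey.publicKeyPem, or null on any TLS or HTTP failure. With the
// hardened setup, a certificate that fails verification surfaces as a
// curl error here instead of a silently accepted key from an impostor.
function fetchActorPublicKey(string $actorUrl): ?string
{
    $curl = initRequestVerified($actorUrl);
    curl_setopt($curl, CURLOPT_HTTPHEADER, ['Accept: application/activity+json']);
    $body = curl_exec($curl);
    if ($body === false) {
        error_log('actor fetch failed: ' . curl_error($curl));
        curl_close($curl);
        return null;
    }
    curl_close($curl);
    $actor = json_decode($body, true);
    return $actor['publicKey']['publicKeyPem'] ?? null;
}
```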
This issue has been tested on Nextcloud version 188.8.131.52 with Social version 0.3.1.
An attacker can perform a man-in-the-middle attack by impersonating the victim server with a self-signed TLS certificate.
The attacker would have to be in a privileged network position between the Nextcloud instance and the target ActivityPub server.
Update to any version up to 0.3.1